fix(web): restrict postMessage targetOrigin from wildcard to specific origins (#30690)

Co-authored-by: XW <wei.xu1@wiz.ai>
This commit is contained in:
xuwei95
2026-01-08 17:23:27 +08:00
committed by GitHub
parent cd1af04dee
commit b2cbeeae92
2 changed files with 9 additions and 4 deletions


@ -66,7 +66,9 @@ const Header: FC<IHeaderProps> = ({
const listener = (event: MessageEvent) => handleMessageReceived(event)
window.addEventListener('message', listener)
window.parent.postMessage({ type: 'dify-chatbot-iframe-ready' }, '*')
// Security: Use document.referrer to get parent origin
const targetOrigin = document.referrer ? new URL(document.referrer).origin : '*'
window.parent.postMessage({ type: 'dify-chatbot-iframe-ready' }, targetOrigin)
return () => window.removeEventListener('message', listener)
}, [isIframe, handleMessageReceived])
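Review bot: The `'*'` fallback on the `targetOrigin` line silently reintroduces the wildcard whenever `document.referrer` is empty, which is exactly what an embedder's `Referrer-Policy: no-referrer` (or any policy that strips the referrer on cross-origin loads) produces, so the restriction the commit adds is only best-effort; since the ready message carries no payload the exposure is small, but failing closed is cheap: `const parentOrigin = document.referrer ? new URL(document.referrer).origin : null` followed by `if (parentOrigin) window.parent.postMessage({ type: 'dify-chatbot-iframe-ready' }, parentOrigin)`. The referrer is also only the origin of whichever document last navigated this frame, not necessarily the current parent, so the `// Security:` comment would be more useful as `// Referrer is a best-effort hint of the embedder origin: empty under strict referrer policies, possibly stale after in-frame navigation`. `new URL(document.referrer)` throws on a malformed value and is not guarded here, which would abort the effect before the listener cleanup is registered. The enclosing useEffect and the Header component start outside the hunk.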